The following reply was made to PR mod_log-any/5747; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]>
To: Apache bugs database <[EMAIL PROTECTED]>
Cc:
Subject: Re: mod_log-any/5747 (fwd)
Date: Mon, 21 Feb 2000 11:41:17 -0700 (MST)
---------- Forwarded message ----------
Date: Sat, 12 Feb 2000 15:57:25 -0500 (EST)
From: TTSG <[EMAIL PROTECTED]>
To: Marc Slemko <[EMAIL PROTECTED]>
Subject: Re: mod_log-any/5747
>
> Sorry, I think you had better look again. The client doesn't send it,
> period. If it did sent it in some cases, then that would be a major
> security hole and should be fixed in the client. As it is, allowing this
> to be specified in the URL is a security hole and should never have been
> implemented by browsers. The way it is implemented is a hack that only
> partially works and has numerous problems.
>
From a Netscape server log :
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-re
uest%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% "%Req->headers.r
ferer%" "%Req->headers.user-agent%"
208.33.224.36 - - [12/Feb/2000:12:54:27 -0800] "GET /protected/news2.htm
HTTP/1.
0" 401 223 "http://furer:[EMAIL PROTECTED]/mea1x.htm" "Mozilla/4.03 [en]
(Win95;
I)"
Tuc/TTSG
